US9769661B2 - Wireless network fast authentication / association using re-association object - Google Patents


Info

Publication number
US9769661B2
Authority
US
United States
Prior art keywords
association
key
sta
response
security
Prior art date
Legal status
Expired - Fee Related
Application number
US14/680,023
Other languages
English (en)
Other versions
US20160295409A1 (en
Inventor
Soo Bum Lee
Jouni Kalevi Malinen
Anand Palanigounder
Current Assignee
Qualcomm Inc
Original Assignee
Qualcomm Inc
Priority date
Filing date
Publication date
Application filed by Qualcomm Inc
Priority to US14/680,023 (US9769661B2)
Assigned to QUALCOMM INCORPORATED. Assignors: MALINEN, Jouni Kalevi; LEE, SOO BUM; PALANIGOUNDER, ANAND
Priority to TW105107229A (TW201637469A)
Priority to EP16710908.1A (EP3281430A1)
Priority to KR1020177028181A (KR20170134457A)
Priority to PCT/US2016/021604 (WO2016164135A1)
Priority to CN201680020441.5A (CN107439029A)
Publication of US20160295409A1
Publication of US9769661B2
Application granted
Legal status: Expired - Fee Related (current)
Anticipated expiration

Classifications

    • H04W12/06 Security arrangements; Authentication; Protecting privacy or anonymity: Authentication
    • H04L63/0428 Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04W12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H04W12/062 Authentication: Pre-authentication
    • H04W84/12 WLAN [Wireless Local Area Networks] (small scale networks; flat hierarchical networks)
    • H04W88/08 Access point devices

Definitions

  • communications networks are used to exchange messages among several interacting spatially-separated devices.
  • Networks may be classified according to geographic scope, which could be, for example, a wide area, a metropolitan area, a local area, or a personal area. Such networks would be designated respectively as a wide area network (WAN), metropolitan area network (MAN), local area network (LAN) or wireless local area network (WLAN), or personal area network (PAN).
  • Networks also differ according to the switching/routing technique used to interconnect the various network nodes and devices (e.g., circuit switching vs. packet switching), the type of physical media employed for transmission (e.g., wired vs. wireless), and the set of communication protocols used (e.g., Internet protocol suite, Synchronous Optical Networking (SONET), Ethernet, etc.).
  • Wireless networks are often preferred when the network elements are mobile and thus have dynamic connectivity needs, or if the network architecture is formed in an ad hoc, rather than fixed, topology.
  • Wireless networks employ intangible physical media in an unguided propagation mode using electromagnetic waves in the radio, microwave, infra-red, optical, etc. frequency bands. Wireless networks advantageously facilitate user mobility and rapid field deployment when compared to fixed wired networks.
  • the apparatus may be a STA.
  • the STA sends, in a re-association procedure, a re-association object to a first AP to establish a first security association with the first AP.
  • the re-association object is encrypted by using a first key unknown to the STA.
  • the re-association object includes a second key derived from a second security association in a previous association procedure between the STA and a second AP.
  • the STA receives a response from the first AP indicating that the first security association has been successfully established.
  • the STA authenticates the response.
  • the apparatus may be an AP.
  • the AP receives, in a re-association procedure, a re-association object from a STA for establishing a first security association with the AP.
  • the re-association object is encrypted by using a first key unknown to the STA.
  • the re-association object includes a second key derived from a second security association in a previous association procedure between the STA and an AP.
  • the AP authenticates the re-association object based on the first key and the second key.
  • the AP establishes, in response to successfully authenticating the re-association object, the first security association with the STA.
  • the AP sends a response to the STA indicating the established first security association.
  • FIG. 1 shows an example wireless communication system in which aspects of the present disclosure may be employed.
  • FIG. 2 is a diagram illustrating techniques of authentication and association in a wireless network.
  • FIG. 3 is a diagram illustrating communications among wireless devices to establish a security association in a wireless network.
  • FIG. 4 is a diagram illustrating a re-association object.
  • FIG. 5 is a diagram illustrating communications among wireless devices to establish a security re-association in a wireless network.
  • FIG. 6(A) is a diagram illustrating a re-association request message.
  • FIG. 6(B) is a diagram illustrating a re-association success response message.
  • FIG. 7 shows an example functional block diagram of a wireless device that may be employed within the wireless communication system of FIG. 1 .
  • FIG. 8 is a flowchart of an example method of wireless communication for establishing re-association.
  • FIG. 10 is a flowchart of another example method of wireless communication for establishing re-association.
  • FIG. 11 is a flowchart of an example method of wireless communication for generating a re-association object.
  • FIG. 12 is a functional block diagram of an example wireless communication device.
  • a WLAN may be used to interconnect nearby devices together, employing widely used networking protocols.
  • the various aspects described herein may apply to any communication standard, such as a wireless protocol.
  • wireless signals may be transmitted according to an Institute of Electrical and Electronics Engineers (IEEE) 802.11 protocol using orthogonal frequency-division multiplexing (OFDM), direct-sequence spread spectrum (DSSS) communications, a combination of OFDM and DSSS communications, or other schemes.
  • Implementations of the 802.11 protocol may be used for sensors, metering, and smart grid networks.
  • aspects of certain devices implementing the 802.11 protocol may consume less power than devices implementing other wireless protocols, and/or may be used to transmit wireless signals across a relatively long range, for example about one kilometer or longer.
  • a WLAN includes various devices which are the components that access the wireless network: access points (APs) and clients (also referred to as stations or "STAs").
  • in general, an AP serves as a hub or base station for the WLAN and a STA serves as a user of the WLAN.
  • a STA may be a laptop computer, a personal digital assistant (PDA), a mobile phone, etc.
  • a STA connects to an AP via a WiFi (e.g., IEEE 802.11 protocol) compliant wireless link to obtain general connectivity to the Internet or to other wide area networks.
  • a STA may also be used as an AP.
  • a station may also comprise, be implemented as, or known as an access terminal (AT), a subscriber station, a subscriber unit, a mobile station, a remote station, a remote terminal, a user terminal, a user agent, a user device, a user equipment, or some other terminology.
  • an access terminal may comprise a cellular telephone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL) station, a personal digital assistant (PDA), a handheld device having wireless connection capability, or some other suitable processing device connected to a wireless modem.
  • such an access terminal may be implemented as a phone (e.g., a cellular phone or smartphone), a computer (e.g., a laptop), a portable communication device (e.g., a headset), a portable computing device (e.g., a personal data assistant), an entertainment device (e.g., a music or video device, or a satellite radio), a gaming device or system (e.g., a gaming console), a global positioning system device, or any other suitable device that is configured to communicate via a wireless medium.
  • the term "association," and any variant thereof, should be given the broadest meaning possible within the context of the present disclosure. By way of example, where a first apparatus associates with a second apparatus, it should be understood that the two apparatus may be directly associated or intermediate apparatuses may be present.
  • for brevity, the process of establishing an association between two apparatus is described as a handshake protocol that requires an "association request" by one of the apparatus followed by an "association response" by the other apparatus.
  • any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements can be employed, or that the first element must precede the second element.
  • a phrase referring to “at least one of” a list of items refers to any combination of those items, including single members. As an example, “at least one of: A, B, or C” is intended to cover: A, or B, or C, or any combination thereof (e.g., A-B, A-C, B-C, and A-B-C).
  • a communication link that facilitates transmission from the AP 104 to one or more of the STAs may be referred to as a downlink (DL) 108
  • a communication link that facilitates transmission from one or more of the STAs to the AP 104 may be referred to as an uplink (UL) 110
  • DL communications may include unicast or multicast traffic indications.
  • the AP 104 may act as a base station and provide wireless communication coverage in a basic service area (BSA) 102.
  • the AP 104, along with the STAs associated with the AP 104 that use the AP 104 for communication, may be referred to as a basic service set (BSS).
  • the wireless communication system 100 may not have a central AP (e.g., AP 104 ), but rather may function as a peer-to-peer network between the STAs. Accordingly, the functions of the AP 104 described herein may alternatively be performed by one or more of the STAs.
  • a STA may be required to associate with the AP 104 in order to send communications to and/or to receive communications from the AP 104 .
  • information for associating is included in a beacon broadcast by the AP 104 .
  • the STA 114 may, for example, perform a broad coverage search over a coverage region. A search may also be performed by the STA 114 by sweeping a coverage region in a lighthouse fashion, for example.
  • the STA 114 may transmit a reference signal, such as an association probe or request, to the AP 104 .
  • the AP 104 may use backhaul services, for example, to communicate with a larger network, such as the Internet or a public switched telephone network (PSTN).
  • the AP 104 may include one or more modules for performing various functions.
  • the AP 104 may include an AP re-association (RA) module 124 to perform procedures related to controlling the establishment of re-association.
  • the AP RA module 124 may be configured to perform an association procedure with a STA including: (a) deriving a first key with the STA, and (b) establishing a security association between the AP and the STA corresponding to the first key.
  • the AP RA module 124 may be configured to send a re-association object to the STA.
  • the re-association object includes information regarding the security association and is encrypted with a second key unknown to the STA.
  • the AP RA module 124 may be configured to perform a re-association procedure with the STA based on the re-association object.
  • the STA 114 may include one or more modules for performing various functions.
  • the STA 114 may include a STA RA module 126 to perform procedures related to controlling the establishment of re-association.
  • the STA RA module 126 may be configured to perform an association procedure with at least one AP including: (a) deriving a first key with the at least one AP, and (b) establishing a security association between the STA and the at least one AP corresponding to the first key.
  • the STA RA module 126 may be configured to receive a re-association object from the at least one AP.
  • the re-association object includes information regarding the security association and is encrypted with a second key unknown to the STA.
  • the STA RA module 126 may be configured to perform a re-association procedure with the at least one AP based on the re-association object.
  • an AP 204 is in the same extended service set (ESS) or the same security domain (e.g., under a single administrative control) as the AP 104, whereas an AP 206 is not in the same ESS or the same security domain.
  • a STA (e.g., the STA 114) that previously established a security association with the AP 104 may still need to use the complete procedure to establish a security association with the AP 206.
  • the STA 114 has a STA RA module 126 .
  • the AP 104 has an AP RA module 124, which includes a secret key 234 that is unknown to the STA 114.
  • the STA 114 establishes a security association with the AP 104 .
  • the STA 114 and the AP 104 derive a PMK from an authentication server (AS) and establish a PMK security association (PMKSA).
  • the STA 114 and the AP 104 derive a pairwise transient key (PTK) and establish a PTK security association (PTKSA).
  • the AP RA module 124 constructs a re-association object 212 .
  • the re-association object 212 may include, among other things, the PTKSA data 214 and PMKSA data 216 .
  • the AP 104 encrypts the re-association object 212 using the secret key 234 .
  • the AP 104 transmits the encrypted re-association object 212 to the STA 114 .
  • the STA 114 stores the encrypted re-association object 212 at the STA RA module 126 . Subsequently, the STA 114 may disassociate with the AP 104 .
  • the STA 114 transmits a re-association request message to the AP 104 .
  • the re-association request message includes the encrypted re-association object 212 and an authentication tag, e.g., a message integrity code (MIC), created using the PTK.
  • the AP RA module 124 extracts the encrypted re-association object 212 from the re-association request message and then decrypts the encrypted re-association object 212 using the secret key 234 . Then, the AP RA module 124 retrieves the PTKSA data and PMKSA data from the re-association object 212 .
  • the AP verifies the authentication tag carried in the re-association message. Successful verification proves the STA's possession of PTK.
  • the AP RA module 124 constructs a re-association response message and encrypts the re-association response message by using the PTK.
  • the AP includes a group transient key (GTK) in the re-association response message.
  • the AP 104 sends the encrypted re-association response message to the STA 114 .
  • the STA RA module 126 decrypts the encrypted re-association response message by using the PTK from the PTKSA data 214 .
  • the STA 114 and the AP 104 establish a security association and communicate data encrypted by using the PTK.
  • the AP RA module 124 generates a new PTK 236 .
  • the AP 104 additionally includes the new PTK 236 in the re-association object 212 .
  • the STA 114 and the AP 104 establish a security association and communicate data encrypted by using the new PTK 236 .
  • the AP and the STA can derive a new PTK by running a 4-way handshake protocol based on the PMK in the PMKSA data (i.e., by rekeying via 4-way handshake).
  • the AP 104 and the AP 204 are in the same ESS or the same security domain (e.g., under a single administrative control).
  • the AP 104 can share the secret key 234 with the AP 204 .
  • the STA 114 can use the encrypted re-association object 212 to establish a security association with the AP 204 .
  • the AP 204 can use the shared secret key 234 to decrypt the encrypted re-association object 212 and obtain data (e.g., the PTKSA data and PMKSA data) stored in the re-association object 212 .
  • each secret key of an AP may be associated (or identified) by a re-association identifier (RAID).
  • when constructing the re-association object, the AP includes in the re-association object the RAID of the secret key used to construct it.
  • Each of the APs 104 , 204 , and 206 may announce the RAID associated with the respective secret key used by the AP 104 , 204 , or 206 .
  • the RAID can be included in an information element (IE) of a beacon frame transmitted by the AP 104 , 204 , or 206 .
  • the STA 114 can determine whether a stored re-association object has the same RAID and may be used for fast re-association. In other words, the STA 114 may determine whether the AP 104 , 204 , or 206 is using a shared secret key and whether a re-association object encrypted using the shared key (i.e., having the same RAID) is already stored at the STA 114 . If the STA 114 found such a re-association object, the STA can send the re-association object to the AP 104 , 204 , or 206 for fast authentication/association.
  • the STA 114 may not be able to determine whether the AP 104 , 204 , or 206 is using a shared secret key initially.
  • the STA 114 may perform a full procedure to establish a security association with the AP 104 , 204 , or 206 . Accordingly, the STA 114 may receive, at operation 297 , a re-association object from the AP 204 through a security association operation. Similarly, the STA 114 may receive, at operation 298 , a re-association object from the AP 206 through a security association operation.
  • the AP 206 may not be in the same ESS as the AP 104 and the AP 204 .
  • the STA 114 may determine based on the RAIDs that the re-association object received from the AP 206 is associated with a different secret key and accordingly may choose to store it. In other words, upon receiving a re-association object, the STA 114 retrieves the RAID of the newly received re-association object and checks whether that RAID is the same as the RAID of a stored re-association object. If a stored re-association object has the same RAID (i.e., is encrypted using the same key), the STA 114 may discard the newly received re-association object; if the received re-association object is not encrypted using the same key, the STA 114 may store it.
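The RAID matching just described, as an added Python example; it is not code from the patent or from Qualcomm. The patent does not fix the beacon information element that announces the RAID, nor where the RAID sits in the re-association object, so the example assumes a vendor-specific element (element ID 221) with a placeholder OUI carrying a 4-byte RAID, and assumes the STA learns each object's RAID in cleartext when the object is issued. Beacon bodies, RAIDs and the object placeholders are constructed.

```python
SSID_IE = 0
VENDOR_SPECIFIC_IE = 221
RAID_OUI = b"\x00\x11\x22"   # placeholder OUI (assumption): the patent does not fix the element format
RAID_LEN = 4

def build_beacon_body(ssid, raid=None):
    """Constructed beacon IE list: an SSID element and, if the AP announces a RAID, a vendor-specific element."""
    body = bytes([SSID_IE, len(ssid)]) + ssid
    if raid is not None:
        payload = RAID_OUI + raid
        body += bytes([VENDOR_SPECIFIC_IE, len(payload)]) + payload
    return body

def parse_ies(body):
    """Walk the element ID / length / value triples of a management frame body; refuse to read past the end."""
    ies, i = [], 0
    while i + 2 <= len(body):
        eid, ln = body[i], body[i + 1]
        if i + 2 + ln > len(body):
            raise ValueError("truncated information element")
        ies.append((eid, body[i + 2:i + 2 + ln]))
        i += 2 + ln
    return ies

def beacon_raid(body):
    """RAID announced by the AP, or None if the beacon carries no RAID element."""
    for eid, val in parse_ies(body):
        if eid == VENDOR_SPECIFIC_IE and val[:len(RAID_OUI)] == RAID_OUI and len(val) == len(RAID_OUI) + RAID_LEN:
            return val[len(RAID_OUI):]
    return None

class ReassocStore:
    """STA-side cache of encrypted re-association objects keyed by RAID (the STA RA module 126)."""
    def __init__(self):
        self.by_raid = {}

    def on_object_received(self, raid, obj, issuer_bssid):
        # An object encrypted under the same secret key is already held: the new one is discarded.
        if raid in self.by_raid:
            return False
        self.by_raid[raid] = {"object": obj, "issuer": issuer_bssid}
        return True

    def select_for_beacon(self, body):
        # Object to place in the re-association request, or None: run the full procedure instead.
        raid = beacon_raid(body)
        entry = self.by_raid.get(raid) if raid is not None else None
        return entry["object"] if entry else None

if __name__ == "__main__":
    store = ReassocStore()
    store.on_object_received(b"RA01", b"<object from AP 104>", "ap104")         # constructed placeholders
    print(store.on_object_received(b"RA01", b"<object from AP 204>", "ap204"))  # False: same RAID, discarded
    print(store.on_object_received(b"RA02", b"<object from AP 206>", "ap206"))  # True: different secret key
    print(store.select_for_beacon(build_beacon_body(b"corp", b"RA01")))         # AP 104's object
    print(store.select_for_beacon(build_beacon_body(b"guest")))                 # None
```

A None from select_for_beacon is the signal to fall back to the full authentication and association procedure; the parser rejects a truncated element instead of reading past the frame body, which matters because beacon contents are attacker-controlled input.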
  • FIG. 3 is a diagram 300 illustrating communications among wireless devices to establish a security association in a wireless network.
  • the AP 104 may operate a BSS 380 .
  • the STA 114 may wish to join the BSS 380 .
  • the STA 114 and the AP 104 utilize an authentication process to establish their identity to a mutually acceptable level.
  • the STA 114 sends an authentication frame requesting open system authentication.
  • the AP 104 responds with an authentication frame indicating status “success.”
  • IEEE 802.1X is an IEEE Standard for Port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. IEEE 802.1X provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. With IEEE 802.1X, a station desiring access to a BSS authenticates with an AS 394 using the extensible authentication protocol (EAP). The AS 394 may be co-located with the AP or may be a separate system. IEEE 802.1X defines the protocol framework and encapsulation method for authentication but does not dictate the actual authentication method used. The method used is negotiated during the IEEE 802.1X exchange with the AS 394 and numerous methods are supported, some examples being EAP-Transport Layer Security (EAP-TLS), the Lightweight Extensible Authentication Protocol (LEAP), and EAP-MD5. Of these, only EAP-TLS is suitable for the key derivation described below: EAP-MD5 yields no keying material from which a PMK could be taken, and LEAP is vulnerable to offline dictionary attacks.
  • the AP 104 sends, at operation 322 , an EAP request, challenging the STA 114 to identify itself.
  • the STA 114 responds with an EAP response to the AP 104 .
  • the AP 104 forwards the EAP response to the AS 394 .
  • an EAP authentication exchange is executed between the STA 114 and the AS 394 .
  • the AP 104 receives messages from the STA 114 or the AS 394 and then re-encapsulates and forwards the messages to the other party.
  • the AS 394 sends a message to the AP 104 indicating the success, together with information for a PMK.
  • the AP 104 forwards an EAP-Success message to the STA 114 , signaling successful completion of the authentication.
  • if the authentication fails, the AS 394 informs the AP 104 and the AP sends an EAP-Failure message to the station followed by a disassociation frame. After a successful authentication, the AP 104 and the STA 114 negotiate to generate a PTK to protect traffic between the AP and an individual station and a GTK to protect the broadcast and multicast traffic sent by the AP.
  • a four-way handshake can be used to distribute the PTK and GTK and a two-way handshake to distribute the GTK when sent alone.
  • the PTK itself may not be sent, only information which, together with pre-shared information, can be used by both sides to derive the PTK.
  • the AP 104 sends a first key message to the STA 114 .
  • the first key message may carry an ANonce, which is a random number generated by the AP 104 and used only once.
  • on receipt of the first key message, the STA 114 generates a random number called the SNonce.
  • from the PMK, the ANonce, and the SNonce, the STA 114 can derive the PTK.
  • the STA 114 sends a second key message to the AP 104 .
  • the second key message carries the SNonce generated by the STA 114 .
  • using the information in the second key message (including the SNonce), the ANonce, and knowledge of the PMK, the AP 104 derives the PTK.
  • the second key message also carries a MIC generated using the PTK and by which the STA 114 demonstrates to the AP 104 that it knows the PMK.
  • the AP 104 sends a third key message to the STA 114 .
  • the third key message may carry a GTK, if it is needed, encrypted using the PTK.
  • the third key message may also carry a MIC by which the AP 104 demonstrates to the STA 114 that the AP 104 knows the PMK.
  • the AP 104 thereby indicates that it is satisfied that the STA 114 is who it says it is.
  • the STA 114 sends a fourth key message to the AP 104 .
  • the STA 114 confirms receipt of the GTK (if included in the third key message) and that the STA 114 is satisfied that the AP 104 is who it says it is.
  • a secure session is established between the AP 104 and the STA 114 .
  • Data frames can now be encrypted in both directions using the PTK.
  • the STA 114 and the AP 104 have established a PMKSA and a PTKSA.
  • the STA 114 has sent device specific information (e.g., MAC address) to the AP 104 .
  • the STA 114 stores the PTKSA data 214 , including the PTK and other information regarding the PTKSA between the STA 114 and the AP 104 , at the STA 114 (e.g., in the STA RA module 126 ).
  • the PTKSA data 214 may include, in addition to the PTK, one or more of a PTK ID, the device identities of the STA 114 and the AP 104 , and the MAC addresses of the STA 114 and the AP 104 .
  • the STA 114 may choose to store the PMKSA data 216 , including the PMK and other information regarding the PMKSA between the STA 114 and the AP 104 , at the STA 114 (e.g., in the STA RA module 126 ).
  • the PMKSA data 216 may include, in addition to the PMK, one or more of a PMK ID, the device identities of the STA 114 and the AP 104 , and the MAC addresses of the STA 114 and the AP 104 .
  • the GTK can be transmitted to the STA 114 from the AP 104 through a group key handshake. Specifically, at operation 354 , the AP 104 sends a first group key message to the STA 114 . The first group key message carries the GTK encrypted using the PTK. At operation 358 , the STA 114 responds with a second group key message, confirming receipt.
  • the four-way handshake described supra is performed whenever the PTK is refreshed.
  • the two-way group key handshake is performed when the GTK alone is refreshed.
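The four-way handshake of the preceding operations, driven from both sides, as an added Python example that is not code from the patent or from Qualcomm. It derives the PTK with the IEEE 802.11i PRF-384 (HMAC-SHA1) over the PMK, both MAC addresses and both nonces, and protects messages 2 to 4 with the key descriptor version 2 MIC (HMAC-SHA1 truncated to 128 bits). The message serialization (message number, replay counter, nonce) is a simplification of an EAPOL-Key frame, the MAC addresses and PMK are constructed, and GTK delivery inside message 3, which needs AES key wrap under the KEK, is left out.

```python
import hashlib
import hmac
import secrets

# IEEE 802.11i PRF: concatenation of HMAC-SHA1(K, A || 0x00 || B || i) for i = 0, 1, ..., truncated to nbytes.
def prf(key, label, data, nbytes):
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

# PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
# For CCMP the 48 bytes split into KCK (EAPOL-Key MIC), KEK (key-data wrapping) and TK (data frames).
def derive_ptk(pmk, aa, spa, anonce, snonce):
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}

# Key descriptor version 2 MIC: HMAC-SHA1 truncated to 128 bits. A real EAPOL-Key MIC covers the whole frame
# with the MIC field zeroed; here the "frame" is the simplified serialization built by frame().
def eapol_mic(kck, body):
    return hmac.new(kck, body, hashlib.sha1).digest()[:16]

def frame(msg_no, nonce, replay_ctr):
    return bytes([msg_no]) + replay_ctr.to_bytes(8, "big") + nonce   # nonce occupies bytes 9..40

class Authenticator:                       # the AP 104
    def __init__(self, mac, pmk):
        self.mac, self.pmk, self.ptk = mac, pmk, None

    def message1(self):                    # ANonce only; no MIC is possible before a PTK exists
        self.anonce, self.ctr = secrets.token_bytes(32), 1
        return {"body": frame(1, self.anonce, self.ctr)}

    def on_message2(self, msg, spa):       # derive the PTK, verify the STA's MIC, answer with message 3
        ptk = derive_ptk(self.pmk, self.mac, spa, self.anonce, msg["body"][9:41])
        if not hmac.compare_digest(eapol_mic(ptk["kck"], msg["body"]), msg["mic"]):
            raise ValueError("message 2 MIC invalid: supplicant does not hold the PMK")
        self.ptk, self.ctr = ptk, self.ctr + 1
        body = frame(3, self.anonce, self.ctr)
        return {"body": body, "mic": eapol_mic(ptk["kck"], body)}

    def on_message4(self, msg):
        if not hmac.compare_digest(eapol_mic(self.ptk["kck"], msg["body"]), msg["mic"]):
            raise ValueError("message 4 MIC invalid")
        return self.ptk["tk"]              # TK may now be installed for data frames

class Supplicant:                          # the STA 114
    def __init__(self, mac, pmk):
        self.mac, self.pmk, self.ptk = mac, pmk, None

    def on_message1(self, msg, aa):        # pick the SNonce, derive the PTK, prove PMK knowledge with a MIC
        self.anonce, self.ctr = msg["body"][9:41], int.from_bytes(msg["body"][1:9], "big")
        snonce = secrets.token_bytes(32)
        self.ptk = derive_ptk(self.pmk, aa, self.mac, self.anonce, snonce)
        body = frame(2, snonce, self.ctr)
        return {"body": body, "mic": eapol_mic(self.ptk["kck"], body)}

    def on_message3(self, msg):            # the AP's MIC proves it holds the PMK; ANonce and counter must check out
        if not hmac.compare_digest(eapol_mic(self.ptk["kck"], msg["body"]), msg["mic"]):
            raise ValueError("message 3 MIC invalid: authenticator does not hold the PMK")
        ctr = int.from_bytes(msg["body"][1:9], "big")
        if msg["body"][9:41] != self.anonce or ctr <= self.ctr:
            raise ValueError("ANonce changed or replay counter did not advance")
        self.ctr = ctr
        body = frame(4, bytes(32), self.ctr)
        return {"body": body, "mic": eapol_mic(self.ptk["kck"], body)}

def run_handshake(pmk_ap, pmk_sta, aa=bytes.fromhex("0a0b0c0d0e0f"), spa=bytes.fromhex("101112131415")):
    """Drive both sides; reports whether a common TK was installed (constructed MAC addresses)."""
    ap, sta = Authenticator(aa, pmk_ap), Supplicant(spa, pmk_sta)
    try:
        m2 = sta.on_message1(ap.message1(), aa)
        m4 = sta.on_message3(ap.on_message2(m2, spa))
        tk = ap.on_message4(m4)
    except ValueError as err:
        return {"ok": False, "tk": None, "error": str(err)}
    return {"ok": tk == sta.ptk["tk"], "tk": tk, "error": None}

if __name__ == "__main__":
    pmk = hashlib.sha256(b"constructed sample PMK").digest()   # a real PMK comes from EAP via the AS 394 or a PSK
    print(run_handshake(pmk, pmk))
    print(run_handshake(pmk, bytes(32)))                        # a STA without the PMK is rejected at message 2
```

The PTK is never transmitted: each side computes it from the PMK and the two nonces, and the MICs on messages 2 and 3 are what prove to the peer that it holds the same PMK. The replay-counter and ANonce checks in on_message3 are the supplicant's defence against a retransmitted or substituted message 3.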
  • the STA 114 and the AP 104 have created a robust security network association (RSNA).
  • the STA 114 can communicate, via the AP 104 , with a DHCP server 396 to obtain a dynamic Internet protocol (IP) address. Further, at operation 364 , the STA 114 can communicate with devices in another network via a gateway 398 using address resolution protocol (ARP) messages.
  • the AP 104 may construct a re-association object 212 to facilitate the re-association of the STA 114 with the AP 104 .
  • the construction of the re-association object 212 may start at any time point at the AP 104.
  • the AP 104 constructs a re-association object 212 .
  • FIG. 4 is a diagram 400 illustrating re-association objects 212 - 1 , 212 - 2 , 212 - 3 in accordance with various configurations.
  • Each of the re-association objects 212 - 1 , 212 - 2 , 212 - 3 includes a re-association data section 410 and optionally a MIC section 422 .
  • the re-association data section 410 of the re-association object 212 - 1 includes a PTKSA field 412 and a device ID field 418 .
  • the re-association data section 410 of the re-association object 212 - 2 includes the PTKSA field 412 and the device ID field 418 as well as optional fields of a PMKSA field 414 , an IP address field 416 , and a valid time field 420 .
  • the re-association data section 410 of the re-association object 212 - 3 includes the PTKSA field 412 and the device ID field 418 as well as optional fields of the PMKSA field 414 , the valid time field 420 , and an IP address field 416 .
  • the AP 104 constructs the re-association object 212 .
  • the AP 104 stores the PTKSA data 214 , including the PTK and other information regarding the PTKSA between the STA 114 and the AP 104 , in the PTKSA field 412 .
  • the PTKSA data 214 may include, in addition to the PTK, one or more of the PTK ID, the device identities of the STA 114 and the AP 104 , and the MAC addresses of the STA 114 and the AP 104 .
  • the AP 104 can store the PMKSA data 216 , including the PMK and other information regarding the PMKSA between the STA 114 and the AP 104 , in the PMKSA field 414 .
  • the PMKSA data 216 may include, in addition to the PMK, one or more of the PMK ID, the device identities of the STA 114 and the AP 104 , and the MAC addresses of the STA 114 and the AP 104 .
  • the AP 104 can store the IP address assigned to the STA 114 by the DHCP server 396 in the IP address field 416 .
  • the AP 104 can store information identifying the STA 114 in the device ID field 418 .
  • the information can be the MAC address of the STA 114 or a unique identifier that can be used to identify the STA 114 .
  • the AP 104 can store information indicating a valid time period for using the re-association object 212 in the valid time field 420 .
  • the information can be a timestamp indicating the expiration time of the re-association object 212 .
  • the AP 104 can also store in the valid time field 420 a timestamp indicating the time point at which the re-association object 212 is constructed.
  • the AP 104 can encrypt the data fields 412 , 414 , 416 , 418 , 420 using the secret key 234 and generate an encrypted re-association data section 410 .
  • the secret key 234 is unknown to the STA 114 .
  • the AP 104 can use a MIC algorithm and the secret key 234 to calculate an integrity code of the encrypted re-association data section 410 .
  • the AP 104 can store the integrity code in the MIC section 422 .
  • the AP 104 sends the encrypted re-association object 212 to the STA 114 .
  • the STA 114 stores the encrypted re-association object 212 and information relevant to the encrypted re-association object 212 .
  • the information may indicate the identity of the AP 104 that issued the encrypted re-association object 212 .
  • FIG. 5 is a diagram 500 illustrating communications among wireless devices to establish a security re-association in a wireless network.
  • the AP 104 periodically transmits beacon frames.
  • the STA 114 executes a scanning operation to discover the BSS 380 and the attributes associated with the BSS 380 .
  • the STA 114 may detect the beacon frame transmitted by the AP 104 .
  • the beacon frame carries regulatory information, capability information, and information for managing the BSS.
  • the STA 114 can obtain the identities of the AP 104 and the BSS 380 from the beacon frame.
  • the STA 114 may have stored one or more re-association objects from different APs.
  • the STA 114 may use information regarding the identities of the AP 104 and the BSS 380 to search the re-association objects stored at the STA 114 and to determine whether a re-association object issued by the AP 104 is stored at the STA 114 . If the STA 114 is able to obtain a re-association object issued by the AP 104 , the STA 114 can use that re-association object to establish a re-association with the AP 104 .
  • FIG. 6(A) is a diagram 600 illustrating a re-association request message.
  • a re-association request message 610 includes a device ID field 614 , a re-association object field 618 , and an authentication tag field 620 .
  • the device ID field 614 is used to carry information identifying a sender of the re-association request message 610 .
  • the re-association object field 618 is used to carry a re-association object issued by an AP.
  • the authentication tag field 620 can be used to carry a MIC of the re-association object calculated by using a PTK derived by the AP and the STA.
  • the STA 114 may construct a re-association request message 610 .
  • the STA 114 may store the MAC address of the STA 114 in the device ID field 614 .
  • the STA 114 may store the re-association object 212 in the re-association object field 618 .
  • the STA 114 calculates a MIC of the re-association object 212 using the PTK and then stores the MIC in the authentication tag field 620 .
  • the STA 114 sends the re-association request message 610 to the AP 104 .
  • the re-association request message 610 can be sent through one or more data frames or management frames.
  • the AP 104 extracts the re-association object 212 from the re-association request message 610 .
  • the AP 104 locates the encrypted re-association data section 410 and the MIC section 422 .
  • the AP 104 calculates an integrity code of the encrypted re-association data section 410 using the secret key 234 .
  • the AP 104 compares the calculated integrity code with the integrity code extracted from the MIC section 422 . If the two integrity codes do not match, the AP 104 can determine that the re-association object 212 is not valid at the AP 104 .
  • the AP 104 attempts to use the secret key 234 to decrypt the encrypted re-association data section 410 . If the AP 104 is unable to decrypt the encrypted re-association data section 410 using the secret key 234 , the AP 104 can determine that the re-association object 212 is not valid at the AP 104 .
  • If the AP 104 is able to decrypt the encrypted re-association data section 410 using the secret key 234 , the AP 104 then extracts data from each field of the re-association object 212 , which are now decrypted.
  • the AP 104 can extract the PTK from the PTKSA field 412 . Using the PTK, the AP 104 calculates a MIC of the re-association object 212 stored in the re-association object field 618 . Then the AP 104 compares the calculated MIC with the MIC stored in the authentication tag field 620 . If the MICs match, the AP 104 can determine that the STA 114 has the PTK stored in the re-association object 212 . If the MICs do not match, the AP 104 can determine that the STA 114 does not have the PTK stored in the re-association object 212 and, consequently, that the re-association object 212 is not valid.
  • the AP 104 further determines whether data, such as those indicating expiration timestamp, are stored in the valid time field 420 . The AP 104 then determines whether the re-association object 212 is still valid at the current time point based on the data. For example, if the current time point is after the expiration timestamp, the AP 104 can determine that the re-association object 212 is no longer valid.
  • the AP 104 can extract data, if any, from each of the PTKSA field 412 , the PMKSA field 414 , and the IP address field 416 . Accordingly, the AP 104 can obtain the PTK of a previous PTKSA between the STA 114 and the AP 104 . In one configuration, using the PTK and the PTKSA data stored in the PTKSA field 412 , the AP 104 can re-establish the PTKSA for the STA 114 at the AP 104 . In one configuration, as will be described infra, the AP 104 may choose to generate a new PTK and use the new PTK to establish a new PTKSA with the STA 114 .
  • the AP 104 can communicate with the DHCP server 396 to request a new IP address for the STA 114 . Further, if the PMKSA data 216 is available from the PMKSA field 414 , the AP 104 can obtain the PMK of a previous PMKSA between the STA 114 and the AP 104 . Using the PMK and the PMKSA data stored in the PMKSA field 414 , the AP 104 may choose to re-establish the PMKSA for the STA 114 at the AP 104 .
  • FIG. 6(B) is a diagram 650 illustrating a re-association success response message.
  • a re-association success response message 660 may include an IP address field 664 and a new PTK field 668 .
  • the IP address field 664 is used to carry an IP address assigned to the STA requesting re-association.
  • the new PTK field 668 is used to carry a PTK to be used to establish a PTKSA.
  • the AP 104 may store the IP address assigned to the STA 114 in the IP address field 664 . Further, in one configuration, optionally at operation 522 prior to operation 524 , the AP 104 may choose to generate a new PTK. For example, the AP 104 and the STA 114 may choose to derive a new PTK through a four-way handshake using the PMKSA data as described supra, and accordingly establish a new PTKSA. Alternatively, the AP 104 may randomly generate a unique PTK and establish a new PTKSA for the STA 114 based on the randomly generated new PTK.
  • After receiving the re-association response message, at operation 528 , the STA 114 determines whether the re-association operation is successful. If the STA 114 receives a re-association response failure message, the STA 114 determines that the re-association operation is not successful and may use the procedure described with respect to FIG. 3 to establish a security association with the AP 104 .
  • the STA 114 may then attempt to use the PTK from the PTKSA data 214 to decrypt the re-association success response message 660 .
  • the STA 114 may then attempt to use the new PTK derived in operation 522 to decrypt the re-association success response message 660 .
  • the STA 114 can determine that the AP 104 was able to decrypt the re-association object 212 and obtain the PTK from the PTKSA field 412 . Accordingly, the STA 114 can confirm the identity of the AP 104 (i.e., the AP that sent the re-association object 212 ). The STA 114 can then determine that the re-association operation is successful. After successfully decrypting the re-association success response message 660 , the STA 114 can obtain the IP address from the IP address field 664 and use the IP address as the IP address of the STA 114 .
  • the STA 114 may use the new PTK to complete establishing the new PTKSA with the AP 104 . Accordingly, at operation 532 , the STA 114 and the AP 104 can communicate data encrypted using the new PTK. If there is no new PTK in the re-association success response message 660 and the STA 114 did not establish a new PTKSA through a four-way handshake with the AP 104 in operation 522 , the STA 114 may use the previous PTK from the PTKSA data 214 to complete re-establishing the PTKSA with the AP 104 . Accordingly, at operation 532 , the STA 114 and the AP 104 can communicate data encrypted using the previous PTK.
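The object construction (data fields sealed under the AP's secret key 234 plus a MIC section), the re-association request with its PTK-keyed authentication tag, and the AP-side checks (MIC, decryption, proof of PTK possession, device ID match, validity time, then a success response encrypted under the PTK that the STA can open only if the AP recovered the PTK) described above, as an added Python example that is not the patent's own code. It assumes HMAC-SHA256 as the MIC algorithm, an HMAC-SHA256 counter-mode keystream as a stand-in for the unspecified cipher, and a JSON field layout; the class names, field names, and the constructed MAC and IP values are invented here.

```python
# Added illustration of the re-association object flow; not code from the patent.
# Assumptions: HMAC-SHA256 as the MIC algorithm, an HMAC-SHA256 counter-mode
# keystream as a stand-in cipher, JSON field layout and all names invented here.
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
NONCE_LEN = 16


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256(key, nonce || counter); stand-in cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def mic(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def seal(key, plaintext):
    """Encrypt-then-MIC: nonce || ciphertext || MIC(key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    body = nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return body + mic(key, body)


def open_sealed(key, blob):
    """Verify the MIC first, then decrypt and parse; None when either step fails."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if len(body) < NONCE_LEN or not hmac.compare_digest(mic(key, body), tag):
        return None
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    try:
        return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode())
    except ValueError:  # a wrong key yields undecodable bytes or invalid JSON
        return None


class AccessPoint:
    def __init__(self, secret_key, clock):
        self.secret_key = secret_key  # the secret key 234: never disclosed to any STA
        self.clock = clock

    def issue_reassociation_object(self, sta_mac, ptk, ip, lifetime_s=3600):
        """Seal PTK, IP address, device ID and validity window after a full association."""
        now = self.clock()
        fields = {"ptk": ptk.hex(), "ip": ip, "device_id": sta_mac,
                  "issued": now, "expires": now + lifetime_s}
        return seal(self.secret_key, json.dumps(fields).encode())

    def handle_reassociation_request(self, req):
        """Return a sealed success response, or None when the object is rejected."""
        obj = req["reassoc_object"]
        fields = open_sealed(self.secret_key, obj)   # MIC section check, then decrypt
        if fields is None:
            return None
        ptk = bytes.fromhex(fields["ptk"])
        if not hmac.compare_digest(mic(ptk, obj), req["auth_tag"]):
            return None                               # sender does not hold the PTK
        if fields["device_id"] != req["device_id"]:
            return None                               # object was issued to another STA
        if self.clock() > fields["expires"]:
            return None                               # validity period elapsed
        return seal(ptk, json.dumps({"ip": fields["ip"]}).encode())


class Station:
    def __init__(self, mac, ptk):
        self.mac, self.ptk = mac, ptk

    def build_request(self, reassoc_object):
        """Device ID, the opaque object, and a PTK-keyed MIC over the object."""
        return {"device_id": self.mac, "reassoc_object": reassoc_object,
                "auth_tag": mic(self.ptk, reassoc_object)}

    def process_response(self, resp):
        # Only an AP that recovered the PTK from the object can produce a response that opens.
        fields = None if resp is None else open_sealed(self.ptk, resp)
        return None if fields is None else fields["ip"]


def demo():
    # Constructed walk-through: one valid request and four that must be rejected.
    clock = {"t": 1000.0}
    ap = AccessPoint(os.urandom(32), clock=lambda: clock["t"])
    sta = Station("aa:bb:cc:dd:ee:01", os.urandom(32))
    obj = ap.issue_reassociation_object(sta.mac, sta.ptk, "10.0.0.7", lifetime_s=600)
    ok = sta.process_response(ap.handle_reassociation_request(sta.build_request(obj)))
    tampered = bytearray(obj)
    tampered[NONCE_LEN + 2] ^= 0x01                   # flip one ciphertext bit
    bad_mic = ap.handle_reassociation_request(sta.build_request(bytes(tampered)))
    bad_id = ap.handle_reassociation_request(Station("aa:bb:cc:dd:ee:02", sta.ptk).build_request(obj))
    bad_tag = ap.handle_reassociation_request(Station(sta.mac, os.urandom(32)).build_request(obj))
    clock["t"] += 601
    expired = ap.handle_reassociation_request(sta.build_request(obj))
    return ok, bad_mic, bad_id, bad_tag, expired
```

The order of checks mirrors the text: the AP verifies the MIC section with its own secret key before attempting decryption, so a modified or foreign object is rejected without ever exposing the decryption step to attacker-controlled ciphertext; only then does it use the recovered PTK to check the STA's authentication tag, the device ID, and the expiry timestamp. The STA, for its part, never sees the secret key and authenticates the AP solely by whether the response opens under the PTK it holds.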
  • the processor 704 may comprise or be a component of a processing system implemented with one or more processors.
  • the one or more processors may be implemented with any combination of general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), field programmable gate arrays (FPGAs), programmable logic devices (PLDs), controllers, state machines, gated logic, discrete hardware components, dedicated hardware finite state machines, or any other suitable entities that can perform calculations or other manipulations of information.
  • the processing system may also include machine-readable media for storing software.
  • Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the one or more processors, cause the processing system to perform the various functions described herein.
  • the wireless device 702 may also include a housing 708 that may include a transmitter 710 and/or a receiver 712 to allow transmission and reception of data between the wireless device 702 and a remote device.
  • the transmitter 710 and the receiver 712 may be combined into a transceiver 714 .
  • An antenna 716 may be attached to the housing 708 and electrically coupled to the transceiver 714 .
  • the wireless device 702 may also include (not shown) multiple transmitters, multiple receivers, multiple transceivers, and/or multiple antennas.
  • the wireless device 702 may also comprise a RA module 724 .
  • the RA module 724 may be configured to perform an association procedure with at least one AP including: (a) deriving a first key with the at least one AP, and (b) establishing a security association between the STA and the at least one AP corresponding to the first key.
  • the RA module 724 may be configured to receive a re-association object from the at least one AP.
  • the re-association object includes information regarding the security association and is encrypted with a second key unknown to the STA.
  • the RA module 724 may be configured to perform a re-association procedure with the at least one AP based on the re-association object.
  • the wireless device 702 may also comprise a RA module 724 .
  • the RA module 724 may be configured to perform an association procedure with a STA including: (a) deriving a first key with the STA, and (b) establishing a security association between the AP and the STA corresponding to the first key.
  • the RA module 724 may be configured to send a re-association object to the STA.
  • the re-association object includes information regarding the security association and is encrypted with a second key unknown to the STA.
  • the RA module 724 may be configured to perform a re-association procedure with the STA based on the re-association object.
  • the processor 704 may be used to implement not only the functionality described above with respect to the processor 704 , but also to implement the functionality described above with respect to the signal detector 718 , the DSP 720 , the user interface 722 , and/or the RA module 724 . Further, each of the components illustrated in FIG. 7 may be implemented using a plurality of separate elements.
  • FIG. 8 is a flowchart of an example method 800 of wireless communication for establishing re-association.
  • the method 800 may be performed using a STA (e.g., the STA 114 or the wireless device 702 , for example).
  • Although the method 800 is described below with respect to the elements of wireless device 702 of FIG. 7 , other components may be used to implement one or more of the steps described herein.
  • the STA may receive a re-association identifier associated with the first key from a first AP. For example, referring to FIG. 2 , each of the APs 104 , 204 , and 206 may announce the RAID associated with the respective secret key used by the AP 104 , 204 , or 206 .
  • the STA may determine that the re-association identifier received from the first AP matches a re-association identifier of a re-association object. For example, referring to FIG.
  • upon receiving the RAID (e.g., through a beacon frame) from an AP 104 , 204 , or 206 , the STA 114 can determine whether a stored re-association object has the same RAID and may be used for fast re-association.
  • the STA receives a response from the first AP indicating that the first security association has been successfully established (e.g., at operation 524 of FIG. 5 ).
  • the response may be encrypted by using the second key.
  • the response is encrypted by using the third key.
  • the STA may authenticate the response (e.g., at operation 528 of FIG. 5 ).
  • the STA may decrypt the re-association response message by using the second key.
  • the STA may decrypt the re-association response message by using the third key.
  • FIG. 10 is a flowchart of an example method 1000 of wireless communication for establishing re-association.
  • the method 1000 may be performed using an AP (e.g., the AP 104 or the wireless device 702 , for example).
  • Although the method 1000 is described below with respect to the elements of wireless device 702 of FIG. 7 , other components may be used to implement one or more of the steps described herein.
  • the AP may obtain a first key from another AP.
  • the AP 104 can share the secret key 234 with the AP 204 .
  • the AP receives a re-association object from a STA for establishing a first security association with the AP (e.g., at operation 512 of FIG. 5 ).
  • the re-association object is encrypted by using a first key unknown to the STA.
  • the re-association object includes a second key derived from a second security association in a previous association procedure between the STA and an AP.
  • the AP authenticates the re-association object based on the first key and the second key (e.g., at operation 516 of FIG. 5 ).
  • the re-association object may include first device specific information.
  • the re-association object may be included in a re-association request message received from the STA.
  • the re-association request message further may include second device specific information associated with the STA.
  • the AP may authenticate the re-association object based on matching the first device specific information with the second device specific information (e.g., at operation 516 of FIG. 5 ).
  • the AP may retrieve an integrity code from the re-association object (e.g., at operation 516 of FIG. 5 ).
  • the AP may verify integrity of data of the re-association object by using the first key and the integrity code (e.g., at operation 516 of FIG. 5 ).
  • the AP may retrieve the second key from the re-association object (e.g., at operation 516 of FIG. 5 ).
  • the AP may derive a third key with the STA (e.g., at operation 522 of FIG. 5 ).
  • the AP establishes, in response to successfully authenticating the re-association object, the first security association with the STA.
  • the first security association is established according to the second key (e.g., at operation 516 of FIG. 5 ).
  • the first security association is established according to the third key (e.g., at operation 522 of FIG. 5 ).
  • the AP may retrieve an IP address from the re-association object (e.g., at operation 516 of FIG. 5 ).
  • the AP may assign the IP address to the STA.
  • the AP may retrieve, in the re-association procedure, an indication of time from the re-association object (e.g., at operation 516 of FIG. 5 ).
  • the AP may determine whether the re-association object is expired based on the retrieved indication of time (e.g., at operation 516 of FIG. 5 ).
  • FIG. 11 is a flowchart of an example method 1100 of wireless communication for generating a re-association object.
  • the method 1100 may be performed using an AP (e.g., the AP 104 or the wireless device 702 , for example).
  • Although the method 1100 is described below with respect to the elements of wireless device 702 of FIG. 7 , other components may be used to implement one or more of the steps described herein.
  • the AP may obtain a PMK (e.g., at operations 338 - 350 of FIG. 3 ).
  • the AP may establish a PMK security association with the STA corresponding to the PMK (e.g., at operations 338 - 350 of FIG. 3 ).
  • the AP may derive the second key with the STA (e.g., at operations 338 - 350 of FIG. 3 ).
  • the AP may establish the second security association with the STA corresponding to the second key (e.g., at operations 338 - 350 of FIG. 3 ).
  • the AP may generate the re-association object (e.g., at operation 366 of FIG. 3 ). The AP may encrypt the re-association object by using the first key.
  • the second key may be a PTK.
  • the second security association may be a PTK security association.
  • the AP may include in the re-association object information specifying the PTK security association (e.g., at operation 366 of FIG. 3 ).
  • the AP may receive first device specific information from the STA and may include the first device specific information in the re-association object (e.g., at operations 338 - 350 of FIG. 3 ).
  • the AP may obtain an IP address for the STA and may include the IP address in the re-association object (e.g., at operations 362 and 366 of FIG. 3 ).
  • the AP may encrypt the re-association object by using the first key (e.g., at operation 366 of FIG. 3 ).
  • the AP may generate an integrity code of data of the re-association object by using the first key and may include the integrity code in the re-association object (e.g., at operation 366 of FIG. 3 ).
  • the AP may send the re-association object to the STA (e.g., at operation 366 of FIG. 3 ).
  • FIG. 12 is a functional block diagram of an example wireless communication device 1200 .
  • the wireless communication device 1200 may include a receiver 1205 , a processing system 1210 , and a transmitter 1215 .
  • the processing system 1210 may include a RA module 1224 .
  • the processing system 1210 , the RA module 1224 , and/or the receiver 1205 may be configured to measure an energy level of a transmission channel.
  • the wireless communication device 1200 may be utilized by a STA.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to perform an association procedure with at least one AP including: (a) deriving a first key with the at least one AP, and (b) establishing a security association between the STA and the at least one AP corresponding to the first key.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association object from the at least one AP.
  • the re-association object includes information regarding the security association and is encrypted with a second key unknown to the STA.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to perform a re-association procedure with the at least one AP based on the re-association object.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association request to an AP.
  • the re-association request includes the re-association object.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association response from the AP.
  • the re-association response is encrypted using the first key.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association response based on the first key.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send first device specific information to the AP in the association procedure.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send second device specific information to the AP in the re-association procedure.
  • the re-association object includes the first device specific information.
  • the first and second device specific information each include a MAC address.
  • the re-association object includes at least one of a PMK and a PTK.
  • the at least one AP from which the re-association object is received and the AP to which the re-association request is sent are different APs.
  • the at least one AP from which the re-association object is received and the AP to which the re-association request is sent are the same AP.
  • the security association is an RSNA.
  • the association procedure is performed with a plurality of APs, and a re-association object is received from each of the plurality of APs.
  • the processing system 1210 and/or the RA module 1224 may be configured to selectively store the received re-association object based on a predetermined rule.
  • the processing system 1210 and/or the RA module 1224 may be configured to determine whether a given received re-association object is encrypted using a key that is the same as a key using which a re-association object already stored at the STA is encrypted. The processing system 1210 and/or the RA module 1224 may be configured to discard the given received re-association object in response to a determination that the given received re-association object is encrypted using the same key.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association request to an AP.
  • the re-association request includes the re-association object.
  • the processing system 1210 and/or the RA module 1224 may be configured to derive a third key with the AP.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to establish another security association between the STA and the AP corresponding to the third key.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association response from the AP.
  • the re-association response is encrypted using the third key.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association response based on the third key.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association request to an AP.
  • the re-association request includes the re-association object.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association response from the AP.
  • the re-association response is encrypted using the first key.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association response based on the first key.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a third key encrypted using the first key.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to establish another security association with the AP using the third key.
  • the re-association object includes an IP address.
  • the re-association procedure includes associating the STA with the IP address.
  • the wireless communication device 1200 may be utilized by an AP.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to perform an association procedure with a STA including: (a) deriving a first key with the STA, and (b) establishing a security association between the AP and the STA corresponding to the first key.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association object to the STA.
  • the re-association object includes information regarding the security association and is encrypted with a second key unknown to the STA.
  • the processing system 1210 and/or the RA module 1224 may be configured to perform a re-association procedure with the STA based on the re-association object.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association request from the STA.
  • the re-association request includes the re-association object.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association object based on the second key unknown to the STA and a PTK retrieved from the re-association object.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association response to the STA upon authenticating the re-association object.
  • the re-association response is encrypted using the first key.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive first device specific information in the association procedure.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive second device specific information in the re-association procedure.
  • the re-association object includes the first device specific information.
  • the performing the re-association procedure includes authenticating the re-association object based on first and second device specific information.
  • the first and second device specific information each include a MAC address.
  • the re-association object includes at least one of a PMK and a PTK.
  • the processing system 1210 and/or the RA module 1224 may be configured to retrieve an IP address from the re-association object.
  • the processing system 1210 and/or the RA module 1224 may be configured to assign the IP address to the STA.
  • the processing system 1210 and/or the RA module 1224 may be configured to include the IP address in the re-association response.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association request from the STA.
  • the re-association request includes the re-association object.
  • the processing system 1210 and/or the RA module 1224 may be configured to derive a third key with the STA.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to establish another security association between the AP and the STA corresponding to the third key.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association object based on the second key unknown to the STA and a PTK retrieved from the re-association object.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association response to the STA upon authenticating the re-association object.
  • the re-association response is encrypted with
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association request from the STA.
  • the re-association request includes the re-association object.
  • the re-association object includes the first key.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association object based on the second key unknown to the STA and a PTK retrieved from the re-association object.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association response to the STA upon authenticating the re-association object.
  • the re-association response is encrypted using the first key.
  • the processing system 1210 and/or the RA module 1224 may be configured to generate a third key.
  • the processing system 1210 and/or the RA module 1224 may be configured to encrypt the third key using the first key and send the encrypted third key to the STA.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to establish another security association between the AP and the STA using the third key.
  • the re-association object is valid for a predetermined period of time.
  • the security association is an RSNA.
  • the processing system 1210 and/or the RA module 1224 may be configured to assign an IP address to the STA.
  • the processing system 1210 and/or the RA module 1224 may be configured to include the IP address in the re-association object.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a second key unknown to a STA from another AP.
  • the receiver 1205 , the processing system 1210 , and/or the RA module 1224 may be configured to receive a re-association request from the STA.
  • the re-association request includes a re-association object and second device specific information.
  • the re-association object includes a first key known to the STA and first device specific information.
  • the processing system 1210 and/or the RA module 1224 may be configured to authenticate the re-association object based on the second key and the first and second device specific information.
  • the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to send a re-association response encrypted using the first key to the STA upon authenticating the re-association object.
  • the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 may be configured to perform one or more operations discussed above with respect to FIGS. 8-11 .
  • the receiver 1205 may correspond to the receiver 712 .
  • the processing system 1210 may correspond to the processor 704 .
  • the transmitter 1215 may correspond to the transmitter 710 .
  • the RA module 1224 may correspond to the AP RA module 124 , the STA RA module 126 , and/or the RA module 724 .
  • Means for performing an association procedure with at least one AP may comprise the processing system 1210 and/or the RA module 1224 .
  • Means for receiving a re-association object from the at least one AP may comprise the receiver 1205 , the processing system 1210 , and/or the RA module 1224 .
  • Means for performing a re-association procedure with the at least one AP based on the re-association object may comprise the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 .
  • Means for performing an association procedure with a STA may comprise the processing system 1210 and/or the RA module 1224 .
  • Means for sending a re-association object to the STA may comprise the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 .
  • Means for performing a re-association procedure with the STA based on the re-association object may comprise the receiver 1205 , the processing system 1210 , the RA module 1224 , and/or the transmitter 1215 .
  • the means may be any suitable means capable of performing the operations, such as various hardware and/or software component(s), circuits, and/or module(s).
  • any operations illustrated in the Figures may be performed by corresponding functional means capable of performing the operations.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Priority Applications (6)

Application Number Priority Date Filing Date Title
US14/680,023 US9769661B2 (en) 2015-04-06 2015-04-06 Wireless network fast authentication / association using re-association object
PCT/US2016/021604 WO2016164135A1 (en) 2015-04-06 2016-03-09 Wireless network fast authentication / association using re-association object
EP16710908.1A EP3281430A1 (en) 2015-04-06 2016-03-09 Wireless network fast authentication / association using re-association object
KR1020177028181A KR20170134457A (ko) 2015-04-06 2016-03-09 Wireless network fast authentication / association using re-association object
TW105107229A TW201637469A (zh) 2015-04-06 2016-03-09 Wireless network fast authentication / association using re-association object
CN201680020441.5A CN107439029A (zh) 2015-04-06 2016-03-09 Wireless network fast authentication / association using re-association object

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US14/680,023 US9769661B2 (en) 2015-04-06 2015-04-06 Wireless network fast authentication / association using re-association object

Publications (2)

Publication Number Publication Date
US20160295409A1 US20160295409A1 (en) 2016-10-06
US9769661B2 true US9769661B2 (en) 2017-09-19

Family

ID=55586449

Family Applications (1)

Application Number Title Priority Date Filing Date
US14/680,023 Expired - Fee Related US9769661B2 (en) 2015-04-06 2015-04-06 Wireless network fast authentication / association using re-association object

Country Status (6)

Country Link
US (1) US9769661B2 (zh)
EP (1) EP3281430A1 (zh)
KR (1) KR20170134457A (zh)
CN (1) CN107439029A (zh)
TW (1) TW201637469A (zh)
WO (1) WO2016164135A1 (zh)

Families Citing this family (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9998998B2 (en) * 2015-05-14 2018-06-12 Aruba Networks, Inc. RF signature-based WLAN identity management
WO2017024662A1 (zh) * 2015-08-11 2017-02-16 华为技术有限公司 Access authentication method and apparatus
GB2544491B (en) * 2015-11-17 2022-03-02 Airbus Defence & Space Ltd Improvements in and relating to communication links
US10791093B2 (en) * 2016-04-29 2020-09-29 Avago Technologies International Sales Pte. Limited Home network traffic isolation
JP7310449B2 (ja) * 2019-08-29 2023-07-19 ブラザー工業株式会社 First communication device and computer program for the first communication device
US11206144B2 (en) * 2019-09-11 2021-12-21 International Business Machines Corporation Establishing a security association and authentication to secure communication between an initiator and a responder
CN111726842B (zh) * 2020-05-14 2023-03-03 深圳互由科技有限公司 Roaming handover method, electronic device, and computer-readable storage medium
US20210315042A1 (en) * 2020-06-16 2021-10-07 Ido Ouzieli Fast reassociation with an access point
US20220377554A1 (en) * 2021-05-19 2022-11-24 Cisco Technology, Inc. Access point verification using crowd-sourcing
US11700527B2 (en) 2021-05-25 2023-07-11 Cisco Technology, Inc. Collaborative device address rotation
US11902775B2 (en) * 2021-05-28 2024-02-13 Cisco Technology, Inc. Encrypted nonces as rotated device addresses
CN117837184A (zh) * 2021-08-09 2024-04-05 三星电子株式会社 Electronic device and method using a PMK
US11997482B2 (en) * 2022-02-18 2024-05-28 Qualcomm Incorporated Association protection for wireless networks
WO2023216215A1 (zh) * 2022-05-13 2023-11-16 Oppo广东移动通信有限公司 Context management method, apparatus, device, storage medium, and program product
WO2024026664A1 (en) * 2022-08-02 2024-02-08 Qualcomm Incorporated Reassociation between station and access point

Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030166397A1 (en) * 2002-03-04 2003-09-04 Microsoft Corporation Mobile authentication system with reduced authentication delay
US20040103282A1 (en) * 2002-11-26 2004-05-27 Robert Meier 802.11 Using a compressed reassociation exchange to facilitate fast handoff
US20040243846A1 (en) * 2003-05-30 2004-12-02 Aboba Bernard D. Secure association and management frame verification
US20040240412A1 (en) 2003-05-27 2004-12-02 Winget Nancy Cam Facilitating 802.11 roaming by pre-establishing session keys
US20050117524A1 (en) * 2002-11-08 2005-06-02 Samsung Electronics Co., Ltd. Method for performing handoff in wireless network priority
US20060191000A1 (en) * 2005-02-18 2006-08-24 Cisco Technology, Inc. Key distribution and caching mechanism to facilitate client handoffs in wireless network systems
US20060187878A1 (en) * 2005-02-18 2006-08-24 Cisco Technology, Inc. Methods, apparatuses and systems facilitating client handoffs in wireless network systems
US20060256763A1 (en) 2005-05-10 2006-11-16 Colubris Networks, Inc. Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points
US20070064647A1 (en) * 2003-09-12 2007-03-22 Ntt Docomo, Inc. Secure intra-and inter-domain handover
US20080267407A1 (en) * 2007-04-26 2008-10-30 Qualcomm Incorporated Method and Apparatus for New Key Derivation Upon Handoff in Wireless Networks
US20080295144A1 (en) * 2003-10-16 2008-11-27 Cisco Technology, Inc. Network client validation of network management frames
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
US20090300739A1 (en) 2008-05-27 2009-12-03 Microsoft Corporation Authentication for distributed secure content management system
US20100189258A1 (en) * 2007-06-14 2010-07-29 France Telecom Method for distributing an authentication key, corresponding terminal, mobility server and computer programs
US8081759B2 (en) 2004-09-15 2011-12-20 Nokia Corporation Apparatus, and an associated method, for facilitating fast transition in a network system
US20140122242A1 (en) 2010-08-24 2014-05-01 Cisco Technology, Inc. Pre-association mechanism to provide detailed description of wireless services
US20140181904A1 (en) 2012-12-21 2014-06-26 Qualcomm Incorporated Deriving a wlan security context from a wwan security context
US20150146524A1 (en) * 2012-06-28 2015-05-28 Kt Corporation Aid reassignment method, and apparatus for performing said aid reassignment method
US20150230245A1 (en) * 2012-09-26 2015-08-13 Lg Electronics Inc. Method and apparatus for gaining access in wireless lan system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101155396B (zh) * 2006-09-25 2012-03-28 联想(北京)有限公司 Terminal node handover method
CN101527906A (zh) * 2009-03-31 2009-09-09 刘建 Method and system for establishing a security association in an extended service set
CN103716795B (zh) * 2012-10-09 2018-04-06 中兴通讯股份有限公司 Wireless network secure access method, apparatus, and system

Patent Citations (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7480939B1 (en) * 2000-04-28 2009-01-20 3Com Corporation Enhancement to authentication protocol that uses a key lease
US20030166397A1 (en) * 2002-03-04 2003-09-04 Microsoft Corporation Mobile authentication system with reduced authentication delay
US20050117524A1 (en) * 2002-11-08 2005-06-02 Samsung Electronics Co., Ltd. Method for performing handoff in wireless network priority
US20040103282A1 (en) * 2002-11-26 2004-05-27 Robert Meier 802.11 Using a compressed reassociation exchange to facilitate fast handoff
US20040240412A1 (en) 2003-05-27 2004-12-02 Winget Nancy Cam Facilitating 802.11 roaming by pre-establishing session keys
US20040243846A1 (en) * 2003-05-30 2004-12-02 Aboba Bernard D. Secure association and management frame verification
US20070064647A1 (en) * 2003-09-12 2007-03-22 Ntt Docomo, Inc. Secure intra-and inter-domain handover
US20080295144A1 (en) * 2003-10-16 2008-11-27 Cisco Technology, Inc. Network client validation of network management frames
US8081759B2 (en) 2004-09-15 2011-12-20 Nokia Corporation Apparatus, and an associated method, for facilitating fast transition in a network system
US20060187878A1 (en) * 2005-02-18 2006-08-24 Cisco Technology, Inc. Methods, apparatuses and systems facilitating client handoffs in wireless network systems
US20060191000A1 (en) * 2005-02-18 2006-08-24 Cisco Technology, Inc. Key distribution and caching mechanism to facilitate client handoffs in wireless network systems
US20060256763A1 (en) 2005-05-10 2006-11-16 Colubris Networks, Inc. Fast roaming in a wireless network using per-STA pairwise master keys shared across participating access points
US20080267407A1 (en) * 2007-04-26 2008-10-30 Qualcomm Incorporated Method and Apparatus for New Key Derivation Upon Handoff in Wireless Networks
US20100189258A1 (en) * 2007-06-14 2010-07-29 France Telecom Method for distributing an authentication key, corresponding terminal, mobility server and computer programs
US20090300739A1 (en) 2008-05-27 2009-12-03 Microsoft Corporation Authentication for distributed secure content management system
US20140122242A1 (en) 2010-08-24 2014-05-01 Cisco Technology, Inc. Pre-association mechanism to provide detailed description of wireless services
US20150146524A1 (en) * 2012-06-28 2015-05-28 Kt Corporation Aid reassignment method, and apparatus for performing said aid reassignment method
US20150230245A1 (en) * 2012-09-26 2015-08-13 Lg Electronics Inc. Method and apparatus for gaining access in wireless lan system
US20140181904A1 (en) 2012-12-21 2014-06-26 Qualcomm Incorporated Deriving a wlan security context from a wwan security context

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Akin D., et al., "Robust Security Network (RSN) Fast BSS Transition (FT)," White Paper, Certified Wireless Network Professional, Sep. 2008, Version 2.03, pp. 1-32.
International Search Report and Written Opinion-PCT/US2016/021604-ISA/EPO-Jun. 1, 2016.

Also Published As

Publication number Publication date
WO2016164135A1 (en) 2016-10-13
US20160295409A1 (en) 2016-10-06
EP3281430A1 (en) 2018-02-14
CN107439029A (zh) 2017-12-05
TW201637469A (zh) 2016-10-16
KR20170134457A (ko) 2017-12-06

Similar Documents

Publication Publication Date Title
US9769661B2 (en) Wireless network fast authentication / association using re-association object
US20180278625A1 (en) Exchanging message authentication codes for additional security in a communication system
US10932132B1 (en) Efficient authentication and secure communications in private communication systems having non-3GPP and 3GPP access
US10123257B2 (en) Wireless extender secure discovery and provisioning
AU2011201655B2 (en) Security Authentication and Key Management Within an Infrastructure-Based Wireless Multi-Hop Network
US10694376B2 (en) Network authentication method, network device, terminal device, and storage medium
US8023478B2 (en) System and method for securing mesh access points in a wireless mesh network, including rapid roaming
US8175272B2 (en) Method for establishing secure associations within a communication network
EP3082354B1 (en) Location privacy protection methods and devices
US20050152305A1 (en) Apparatus, method, and medium for self-organizing multi-hop wireless access networks
US20150127949A1 (en) System and method for integrated mesh authentication and association
CN108702626B (zh) Wireless wide area network (WWAN) / wireless local area network (WLAN) aggregation security
WO2014040481A1 (zh) Wireless mesh network authentication method and system
KR20120091635A (ko) Method and apparatus for authentication in a communication system
Lee A novel design and implementation of DoS-resistant authentication and seamless handoff scheme for enterprise WLANs
Zhang A Secure Authentication Scheme of Wireless Mesh Network

Legal Events

Date Code Title Description
AS Assignment

Owner name: QUALCOMM INCORPORATED, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LEE, SOO BUM;MALINEN, JOUNI KALEVI;PALANIGOUNDER, ANAND;SIGNING DATES FROM 20141105 TO 20141111;REEL/FRAME:035374/0985

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN)

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20210919